Just as gambling has moved online, so too have the fraudsters, card sharps, conmen and now hackers that try to ‘beat the casino’.
That makes prime targets of organisations like bwin, the world’s largest online gaming and gambling site. The Austrian company operates 130 different games ranging from poker to Top Trumps, handles 70,000 financial transactions a day and last year earned €421 million in gross gaming revenues.
Miraculously, though, bwin has yet to experience a significant security breach. Credit for that achievement goes to the company’s 140-strong software development team, whose responsibility it is to ensure the security of not only the game applications themselves, but also the transaction system that sits behind them.
“We have, in my opinion, quite a lot more challenges [than other online businesses],” says bwin’s head of corporate security, Oliver Eckel. “We’re not like a warehouse where you sell something; online gaming is different because the customer’s wallet is held within the application. We have a lot of applications and therefore a lot of attack vectors.”
As the company has grown, so too has the complexity of its security challenge, forcing the organisation’s approach to security to evolve beyond firewall management and intrusion detection.
“We’re a fast-moving, fast-growing company, so we’re moving upstream with our security challenges,” explains Eckel. “As you move upstream, you get into application and organisational issues.”
According to bwin’s head of development, Christoph Haas, the company’s main defence has been its application-level approach to security, its focus on building ‘secure code’. “Since we have a lot of applications, secure code is one of the critical issues we face,” Eckel says.
But ensuring that 140 developers met the company’s exacting security requirements proved a complex management challenge, so in late 2007 Haas and Eckel oversaw the deployment of a software security assurance (SSA) solution from Fortify Software.
The SSA system analyses newly developed code for common security flaws and returns a red, yellow or green result, which acts as a gate in the delivery process. “If we develop an app and the build is not green, then we don’t even deploy it to the test system,” explains Haas. Although it scrutinises their work and exposes their errors, the developers – who were involved in evaluating the various SSA solutions before one was chosen – have welcomed the deployment.
“They want to make secure applications, and they don’t want hacks into their software,” says Haas. A side effect of the Fortify deployment, he adds, is that the company can now quickly assess the quality and security of software it is considering acquiring, without the need for extensive reverse engineering: “Within half a day we can get quite a good understanding of the quality and security of software we may want to buy.”
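The build gate Haas describes, as an added illustration rather than code from bwin or Fortify: an analyzer produces a list of findings, the findings are mapped to a red/yellow/green rating, and anything that is not green is kept out of the test environment. The findings format, the severity names and the thresholds (any unsuppressed critical or high finding is red; more than a handful of mediums is yellow) are assumptions for the example, not bwin’s actual policy, and the sample findings are constructed.

```python
"""Traffic-light build gate over static-analysis findings (illustrative)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Severity buckets, highest first. Assumed names, not a specific analyzer's.
SEVERITIES = ("critical", "high", "medium", "low")


@dataclass(frozen=True)
class Finding:
    rule: str              # analyzer rule/category, e.g. "SQL Injection"
    severity: str          # one of SEVERITIES
    location: str          # file:line
    suppressed: bool = False  # audited and marked "not an issue"


def count_by_severity(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count unsuppressed findings per severity; reject unknown severities."""
    counts = {s: 0 for s in SEVERITIES}
    for f in findings:
        if f.severity not in counts:
            raise ValueError(f"unknown severity {f.severity!r} at {f.location}")
        if not f.suppressed:
            counts[f.severity] += 1
    return counts


def rating(findings: Iterable[Finding], *, medium_limit: int = 5) -> str:
    """Map findings to red/yellow/green.

    Policy (an assumption for this example):
      red    - any unsuppressed critical or high finding
      yellow - no critical/high, but more than `medium_limit` mediums
      green  - otherwise (lows and a few mediums are tolerated)
    """
    counts = count_by_severity(findings)
    if counts["critical"] or counts["high"]:
        return "red"
    if counts["medium"] > medium_limit:
        return "yellow"
    return "green"


def may_deploy_to_test(findings: Iterable[Finding]) -> bool:
    """Only a green build is promoted to the test system."""
    return rating(findings) == "green"


def blocking_findings(findings: Iterable[Finding]) -> List[Finding]:
    """The findings a developer must fix (or audit) to turn the build green."""
    return [f for f in findings
            if not f.suppressed and f.severity in ("critical", "high")]


# Constructed sample report: one live high, one audited-away high, some noise.
SAMPLE_FINDINGS = [
    Finding("SQL Injection", "high", "Wallet/Transfer.cs:88"),
    Finding("Path Manipulation", "high", "Admin/Export.cs:31", suppressed=True),
    Finding("Weak Cryptographic Hash", "medium", "Auth/Legacy.cs:12"),
    Finding("Unreleased Resource", "low", "Games/Poker/Table.cs:204"),
]

if __name__ == "__main__":
    print("rating:", rating(SAMPLE_FINDINGS))
    print("deploy to test:", may_deploy_to_test(SAMPLE_FINDINGS))
    for f in blocking_findings(SAMPLE_FINDINGS):
        print(f"  BLOCKER {f.severity:8} {f.rule} @ {f.location}")
```

Suppression is deliberately a separate flag rather than simply deleting the finding, so an audited false positive still appears in the report and can be reviewed later; only the gate decision ignores it.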
But the most significant effect of the SSA deployment has been an unforeseen, positive change in the interaction between the development team and the business. By providing an independent check on the security of a new application, it allows the business to weigh commercial opportunity against information security risk.
The next step is integrating the dashboards for quality and security into a single ‘cockpit’ view for the application delivery process.
“Now we’re building [SSA] into the organisational framework,” Eckel says. “We’re moving away from IT security into business security.”